[Senate Hearing 112-867]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 112-867

 
   YOUR HEALTH AND YOUR PRIVACY: PROTECTING HEALTH INFORMATION IN A 
                             DIGITAL WORLD

=======================================================================

                                HEARING

                               before the

                        SUBCOMMITTEE ON PRIVACY,
                         TECHNOLOGY AND THE LAW

                                 of the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                            NOVEMBER 9, 2011

                               __________

                          Serial No. J-112-51

                               __________

         Printed for the use of the Committee on the Judiciary


                  U.S. GOVERNMENT PRINTING OFFICE
87-166                    WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  


                       COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin                 CHUCK GRASSLEY, Iowa
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
CHUCK SCHUMER, New York              JON KYL, Arizona
DICK DURBIN, Illinois                JEFF SESSIONS, Alabama
SHELDON WHITEHOUSE, Rhode Island     LINDSEY GRAHAM, South Carolina
AMY KLOBUCHAR, Minnesota             JOHN CORNYN, Texas
AL FRANKEN, Minnesota                MICHAEL S. LEE, Utah
CHRISTOPHER A. COONS, Delaware       TOM COBURN, Oklahoma
RICHARD BLUMENTHAL, Connecticut
                                 ------                                

            Subcommittee on Privacy, Technology and the Law

                    AL FRANKEN, Minnesota, Chairman
CHUCK SCHUMER, New York              TOM COBURN, Oklahoma
SHELDON WHITEHOUSE, Rhode Island     ORRIN G. HATCH, Utah
RICHARD BLUMENTHAL, Connecticut      LINDSEY GRAHAM, South Carolina
                Alvaro Bedoya, Democratic Chief Counsel
                Elizabeth Hays, Republican Chief Counsel


                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Franken, Hon. Al, a U.S. Senator from the State of Minnesota.....     1
Coburn, Hon. Tom, a U.S. Senator from the State of Oklahoma......     4

                               WITNESSES

Lynch, Loretta, U.S. Attorney for the Eastern District of New 
  York, U.S. Department of Justice, Brooklyn, New York...........     5
    prepared statement...........................................    31
Rodriguez, Leon, Director, Office of Civil Rights, U.S. 
  Department of Health and Human Services, Washington, DC........     7
    prepared statement...........................................    40
McGraw, Deven, Director, Health Privacy Project, Center for 
  Democracy and Technology, Washington, DC.......................    18
    prepared statement...........................................    51
Myrold, Kari, Privacy Officer, Hennepin County Medical Center, 
  Minneapolis, Minnesota.........................................    16
    prepared statement...........................................    68

                               QUESTIONS

Questions for Deven McGraw, Leon Rodriguez, and Kari Myrold 
  submitted by Senator Al Franken................................    73

                         QUESTIONS AND ANSWERS

Responses of Deven McGraw to Questions Submitted by Senator 
  Franken........................................................    76
Responses of Leon Rodriguez to Questions Submitted by Senator Al 
  Franken........................................................    78
Responses of Kari Myrold to Questions Submitted by Senator Al 
  Franken........................................................    82

                       SUBMISSIONS FOR THE RECORD

Letter from AARP to Senators Patrick Leahy, Al Franken, Charles 
  Grassley, and Tom Coburn.......................................    83


   YOUR HEALTH AND YOUR PRIVACY: PROTECTING HEALTH INFORMATION IN A 
                             DIGITAL WORLD

                              ----------                              


                      WEDNESDAY, NOVEMBER 9, 2011

                                       U.S. Senate,
           Subcommittee on Privacy, Technology and the Law,
                                Committee on the Judiciary,
                                                     Washington, DC
    The Subcommittee met, pursuant to notice, at 2:33 p.m., 
Room SD-226, Dirksen Senate Office Building, Hon. Al Franken, 
presiding.
    Present: Senators Whitehouse, Blumenthal, and Coburn.

 OPENING STATEMENT OF HON. AL FRANKEN, A U.S. SENATOR FROM THE 
                       STATE OF MINNESOTA

    Senator Franken. This hearing of the Senate Judiciary 
Subcommittee on Privacy, Technology and the Law will be called 
to order. This is our Subcommittee's second hearing, and this 
one will focus on the important issue of health privacy.
    Over the past two decades, an incredible thing has 
happened. You can now put your entire medical history, every 
chart, every X-ray, every test, every last doctor's note on a 
thumb drive this size, and even better, once that electronic 
health record is put on a network, any doctor authorized on 
that network can access that information instantaneously from 
across the State or across the country.
    This means you don't have to rely on your memory to tell 
your doctor when your last tetanus shot was. It means that in a 
crisis, doctors in an emergency room can find out in seconds 
exactly what medicines an accident victim has been prescribed, 
and it means that when you change doctors or move cities you 
can be sure that your doctors will know everything that they 
need to know about you and your health history.
    But the most important story I've heard to explain the need 
for electronic health records comes from the Hennepin County 
Medical Center, which I'm proud to say will be represented 
today by Kari Myrold, their privacy officer. HCMC was one of 
the first hospitals in Minnesota to develop an electronic 
health record system. HCMC is actually about five or six blocks 
from my home in Minneapolis.
    As it turns out, HCMC is also just one mile from the I-35W 
bridge in Minneapolis, which collapsed in August of 2007. One 
month before that bridge collapsed, they had just completed a 
full implementation of electronic health records throughout the 
hospital. But that day in August when the bridge collapsed, its 
policies still called for using paper records in the event of a 
major catastrophe, so when the bridge collapsed and patients 
starting coming in, staff used paper records for the first two 
patients.
    After those first two, the doctors made a decision to 
switch to electronic records. They found that it allowed them 
to call up patients' charts and track patients throughout the 
hospital and in other systems far easier than paper records. 
When disaster struck, that decision to use electronic health 
records allowed the Hennepin County Medical Center to tend to 
those victims more quickly and more effectively.
    Examples like this one quickly persuaded the medical 
community and Congress of the value of electronic health 
records, so in 2009 Congress wrote and passed bipartisan 
legislation called the HITECH Act to create financial 
incentives to get doctors and hospitals around the country to 
start using electronic health records. I am proud to say that 
the Hennepin County Medical Center was one of the first 
hospitals in the Nation to quality for HITECH Act funds.
    But we need to get all the benefits of electronic health 
records while still protecting the extraordinarily sensitive 
information that they contain. I believe all Americans have a 
fundamental right to know who has their personal information 
and to control who gets that information and with whom it is 
shared.
    I also think--welcoming the Ranking Member, Senator Coburn. 
Good afternoon, sir. Doctor.
    Senator Coburn. It's still morning back home.
    Senator Franken. It is morning in Oklahoma. Let the record 
show that.
    [Laughter.]
    Senator Franken. Good morning.
    I also think that our fundamental right to privacy includes 
the right to know that our sensitive information, wherever it 
is, is safe and secure. Unfortunately, breach after breach of 
health data has shown us that when it comes to health 
information our right to privacy is not being fully protected. 
On the evening of July 28, 2011, a laptop was stolen from the 
backseat of a consultant's car in the Seven Corners 
neighborhood in Minneapolis.
    That laptop contained the names, dates of birth, Social 
Security numbers, and medical information for approximately 
14,000 patients of Fairview Health Services, and the names and 
medical information for another 2,800 patients of the North 
Memorial Medical Center. Those hospitals had told the 
consultant to encrypt that data. The consultant didn't do that, 
so it wasn't encrypted.
    Sadly, that was the third incident in about a year where 
the health data of Minnesotans was put at risk as the result of 
a laptop theft. In fact, since the collection of breach records 
started in 2009, 91 laptops containing the health information 
of approximately 1.8 million people have been lost or stolen. 
That is just a subset of a total of 364 major breaches since 
2009 that resulted in the breach of health data of over 18 
million Americans. This has been happening since far before 
2009.
    In 2002, for example, the U.S. Veterans Administration 
Medical Center in Indianapolis sold or donated 139 computers 
without removing information on their hard drives that revealed 
the names of veterans who had been diagnosed with AIDS or 
mental illnesses. In 2001, the detailed psychological records 
of 62 children and teenagers were accidentally posted on the 
University of Montana Web site for eight days.
    The truth is that the same wonderful technology that has 
revolutionized patient health records has also created very 
real and very serious privacy challenges. Now, this is not a 
new problem and we're not the first lawmakers to call it to 
light. In the past 15 years, Congress has passed major 
bipartisan legislation to protect health information privacy.
    In 1996, Congress passed the Health Insurance Portability 
and Accountability Act, commonly known as HIPAA. HIPAA set out 
that health care providers and insurers have to protect their 
health data. It also required that they get their patients' 
permission before disclosing that information to certain third 
parties. Yet although HIPAA made strides toward better 
protecting patients' privacy, it also left some substantial 
gaps.
    So in 2009, Congress passed the bipartisan HITECH Act as 
part of the Recovery Act. The HITECH Act extended many of the 
same privacy and security rules that apply to doctors and 
hospitals to their contractors. This was called the Business 
Associate Rule. The HITECH Act also required health care 
providers and health insurers to notify people affected by a 
breach and increased the civil and criminal penalties for 
violations of all of these rules.
    When Congress passed the HITECH Act it sent a clear 
bipartisan signal that it was time to get serious about health 
information privacy. Unfortunately, all signs indicate that 
we're still not there either in terms of the protections we 
have in place or the way that we've been implementing and 
enforcing those protections. A lot of the crucial protections 
of the HITECH Act have yet to be implemented.
    For example, HHS has yet to issue final enforceable rules 
on a number of critical protections, like the Business 
Associate Rule. And while the Department of Health and Human 
Services and the Department of Justice have increased 
enforcement in the past one or two years, the overall record of 
enforcement is simply not satisfactory.
    Of the approximately 22,500 complaints that HHS has 
received since 2003 that it had authority to investigate, HHS 
has levied a formal fine or civil monetary penalty in one case, 
just one. They have reached monetary settlement agreements in 
six other cases.
    DOJ's record on this is similarly mixed. Since 2003, HHS 
has referred about 495 cases to DOJ for prosecution, but since 
then, DOJ has prosecuted just 16 criminal HIPAA cases. DOJ has 
reported to me that they have prosecuted some cases under 
statutes other than HIPAA, like identity theft and computer 
hacking statutes, but DOJ has no records or estimates of how 
many of those stem from HIPAA cases. It is hard for Congress to 
conduct oversight over DOJ without this data.
    Now, I want to be clear, there are explanations for these 
facts and figures and a lot of the responsibility lies on the 
shoulders of Congress. Congress perhaps should have instituted 
stronger reporting requirements on DOJ for enforcement, and 
HHS's low enforcement statistics are in large part the product 
of what I think is a wise Department-wide policy to work with 
companies to fix privacy problems and not just fine them.
    But I think it's safe to say that we need to do more to 
protect this data, and that's what this hearing is all about, 
figuring out if we are doing enough and doing everything that 
we should be doing to enforce existing laws, and then figuring 
out if we need new laws and regulations to fill in the gaps.
    Before I turn to my friend, the Ranking Member, I want to 
recognize that the work we're doing today continues the work 
that has been done for 15 years here in the Judiciary Committee 
under Chairman Leahy, and of course in the Health, Education, 
Labor and Pensions Committee under Chairman Harkin, and their 
predecessors on both sides of the aisle. I sincerely believe 
that health information policy and privacy is a bipartisan 
issue and a bipartisan cause, and one that will require a 
bipartisan solution.
    With that, I will turn to Senator Coburn, who is a watchdog 
of the Federal Government, and as a physician will have a very 
valuable voice in today's hearing.
    Senator Coburn, good morning.

STATEMENT OF HON. TOM COBURN, A U.S. SENATOR FROM THE STATE OF 
                            OKLAHOMA

    Senator Coburn. Thank you, Mr. Chairman. Thank you for 
holding the hearing. I regret I have other obligations so I'm 
only going to be able to be here for about 45 minutes.
    I would make some points. Think about this as a patient's 
chart in my office. The likelihood with this as a chart, of 
anybody having access to that other than the people that should 
have it, it is about zero. Now think about me putting it on a 
computer and think about the potential for other people having 
it. When HIPAA was first passed, I was in the Congress and I 
voted against it, because as a practicing physician the goal 
was worthy, but the costs associated with it--the Clinton 
administration admitted that it would cost about $17.6 billion 
over 10 years. It ended up costing about $9 billion a year back 
then.
    What we're attempting to do is a good thing. What we've 
attempted in terms of our laws is not going to be cost 
effective. All you have to do is read the Institute of Medicine 
report about the increased number of mistakes and the increased 
errors that are going to come from an electronic medical 
record.
    The other thing we've done with the Affordable Care Act is 
we've mandated that you're going to have an electronic medical 
record. So we've mandated all the records that are secure in my 
office in Muskogee, Oklahoma, are going to go onto a 
potentially insecure data base. No matter what I do, there's 
always somebody that's going to get around it and I'm going to 
spend a lot of dollars as a doctor proving that I've done what 
the government says I can do, which still may not prevent that 
data from being there. So I'm anxious to hear.
    I know we have a problem with this. What my question is, is 
whether or not we've gone about it the right way. We're 
spending a ton of money paying doctors to put records online. 
They have plenty of money to put records online themselves, but 
we're going to pay them to do it. They are some of the highest 
earners in our country, and yet we've decided we're going to 
subsidize their computer and their software program for it.
    So I look forward to the statements. I have a real concern, 
both for the privacy issue, but also the goal that we're trying 
to accomplish may not be accomplishable. There are always going 
to be people that will go around it. Just ask our Defense 
Department with China right now, ask our private companies with 
China right now, the hacking that's going on, the very 
sophisticated people that are going to try. They've got to get 
into my office to get it when it's on a piece of paper. They've 
got to get into my office. So maybe we ought to re-think some 
of what we're doing, both in terms of privacy, but also cost.
    Mr. Chairman, thank you.
    Senator Franken. Thank you, Senator Coburn. I'm sorry that 
you missed the beginning of my statement. I was talking about 
how HCMC, Hennepin County Medical Center, which is just a few 
blocks from my home in Minnesota, benefited from the use of 
electronic health records in the aftermath of the 35W bridge 
collapse. We will have this discussion. You will hopefully be 
able to stay for some of the second panel and ask your--I'll 
certainly yield to you to ask questions before you have to 
leave before anybody else.
    With that, I'd like to now introduce our first panel of 
witnesses. Loretta Lynch is the U.S. Attorney for the Eastern 
District of New York. Ms. Lynch is a member of the Health Care 
Fraud Working Group of the Attorney General's Advisory 
Committee. In fact, the Health Care Fraud Prevention and 
Enforcement Action Team in her district has brought major cases 
involving Medicare and health insurance fraud. Prior to this 
position she was a partner at a law firm in private practice. 
Ms. Lynch received her law degree and bachelor's degree at--
it's pronounced Harvard.
    Leon Rodriguez is the new Director of the Office for Civil 
Rights at the Department of Health and Human Services. As 
Director of the office, Mr. Rodriguez oversees enforcement of 
HIPAA and the HITECH Act. Prior to his post at HHS, he was 
Chief of Staff and Deputy Assistant Attorney General for the 
Department of Justice Civil Rights Division. Mr. Rodriguez 
received his law degree at Boston College and his undergraduate 
degree at Brown University.
    Thank you both for being here today. Why don't we start 
with Ms. Lynch.

   STATEMENT OF LORETTA LYNCH, U.S. ATTORNEY FOR THE EASTERN 
 DISTRICT OF NEW YORK, U.S. DEPARTMENT OF JUSTICE, BROOKLYN, NY

    Ms. Lynch. Thank you, and good afternoon, Mr. Chairman, 
Ranking Member Coburn, and Members of the Subcommittee. Thank 
you for the opportunity to join our partners at the Department 
of Health and Human Services in discussing the enforcement of 
Federal laws protecting patient medical records.
    As U.S. Attorney for the Eastern District of New York, and 
as you've heard, a member of the Health Care Fraud Working 
Group of the Attorney General's Advisory Committee, I can tell 
you that patient privacy is of utmost importance to the 
Department of Justice.
    Strong privacy protections help ensure that patients are 
candid with their health care providers about their medical 
needs. For patients, the public disclosure of personal medical 
details can lead to profound humiliation. Breaches of medical 
privacy can also result in financial losses, in the millions of 
dollars, to government and private health care plans.
    Protecting patient health records is especially critical as 
our country tries to reduce health care costs by promoting the 
use of electronic medical records. Through the Health Insurance 
Portability and Accountability Act, or HIPAA, as recently 
strengthened by the HITECH amendments, Congress has provided 
three distinct tools to enforce HIPAA's protections: first, HHS 
is empowered to impose civil monetary penalties; second, State 
attorneys general can initiate civil proceedings for injunctive 
relief and financial penalties; and third, the Department of 
Justice can investigate and prosecute violations of HIPAA's 
criminal provisions.
    In order to carry out the multi-tier enforcement system 
developed by Congress it is essential that the agencies 
enforcing HIPAA act together in a coordinated manner. 
Currently, the FBI routinely coordinates potentially criminal 
HIPAA violations with the Office for Civil Rights for HHS. HHS 
has an established process for receiving complaints of 
potential HIPAA violations from the public and also receives 
information about potential violations through self-disclosure 
from health care providers.
    HHS forwards to the FBI all HIPAA complaints or disclosures 
which may involve criminal violations of the statute. If the 
local U.S. Attorney's Office determines that the particular 
matter is not appropriate for criminal prosecution, HHS OCR can 
then determine whether to assess a civil monetary penalty.
    The Department also prosecutes a number of cases which may 
involve breaches of medical privacy but which come to the FBI 
or the Department through other referral methods such as 
complaints of identity theft or Medicare fraud. The smaller 
subset of medical record privacy breaches that warrant DOJ 
criminal enforcement generally tend to fall into one of three 
fact patterns.
    First, we've prosecuted criminally when medical records and 
identities were stolen to commit massive health care frauds. 
These cases caused grave societal harm, both because the 
patients' historical medical and insurance records are 
corrupted, and also because there are often massive losses, 
profoundly draining precious health care payment resources.
    Recently, the Department charged 73 defendants, alleged 
members of an Armenian-American organized crime enterprise, 
involving more than $163 million in fraudulent Medicare billing 
in 25 States. The scheme was allegedly accomplished through the 
theft of the identities of the doctors and thousands of 
Medicare beneficiaries. That indictment included RICO charges 
predicated upon identity theft and credit card violations.
    Second, we prosecute when medical records are stolen for 
the purpose of embarrassing particular patients, for example, 
to sell the records of a celebrity patient to a media outlet or 
to extort ransom payments to avert the disclosure of customer 
health records. An administrative assistant at the UCLA Medical 
Center pleaded guilty to illegally obtaining celebrity health 
records after receiving thousands of dollars from a media 
outlet.
    In September 2009, an Indianapolis defendant was sentenced 
to three years in prison for stealing health insurance records 
of over 900,000 individuals. The defendant had threatened to 
publish this personal information and confidential medical data 
on the Internet unless each victim insurance company paid him 
$1,000 per week for four years.
    Finally, we bring criminal cases where the ultimate motive 
is to steal patients' identities to commit financial fraud. 
When the conduct rises to the level meriting a criminal 
prosecution, we are fortunate to have a variety of criminal 
statutes to address the various fact patterns that we see in 
the medical records privacy cases.
    In addition to the HIPAA criminal provision, the 
Department's prosecutors can utilize health care fraud 
statutes, unlawful computer access statutes, identity theft 
statutes, and conspiracy statutes, and we are extremely 
appreciative of Congress' support in providing each of these 
tools.
    Mr. Chairman, thank you for inviting me here to testify 
today, and I am pleased to answer any questions that you may 
have.
    Senator Franken. Thank you very much, Ms. Lynch. Your 
complete written testimony will be made part of the record.
    [The prepared statement of Ms. Lynch appears as a 
submission for the record.]
    Senator Franken. Mr. Rodriguez, you have about five minutes 
or so.

STATEMENT OF LEON RODRIGUEZ, DIRECTOR, OFFICE FOR CIVIL RIGHTS, 
  U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES, WASHINGTON, DC

    Mr. Rodriguez. Good afternoon, Chairman Franken, good 
morning, Ranking Member Coburn, and good afternoon Senators 
Whitehouse and Blumenthal. Thank you very much for having me 
before the Committee today. It is an honor to be here and to 
talk about the important work that the Office for Civil Rights 
does in enforcing the HIPAA statute and the HITECH statute.
    I'd like to focus in my oral remarks on the new authorities 
that we have under the HITECH statute and the direction that I 
expect my office will be taking in the years to come.
    As the Chairman has observed, the HITECH statute created 
significant new requirements and authorities in the privacy and 
security realm. The first of these is the breach notification 
rule which has been in effect as an interim final rule since 
2009. We have received a number of notifications during that 
time of significant breaches of health information.
    One of the things that is notable about many of those 
breaches--in fact how low-tech they are--in many cases the 
breaches involve theft or loss of actual hard items, such as 
laptops or Blackberries, in addition to the expected hacking, 
improper access to health information. So our experience under 
the breach notification rule has been an important pathway for 
us to identify and then develop means to close some of the real 
vulnerabilities that exist in the area of health information.
    Another notable element of our experience with the breach 
notification rule, and it's also borne out in our larger 
enforcement program, is the degree to which business associates 
are the source from which protected health records are 
compromised. So it is an important part of the HITECH statute 
that authorized us to, and we are currently working diligently 
on regulations that will help us initiate our enforcement in 
this area, given that many of these records in fact come from 
business associates.
    Now the HIPAA requirements will be extended directly to 
business associates, whereas before only covered entities were 
subject to those requirements, who were then required to extend 
those requirements via contract to business associates.
    Finally, and most importantly, the HITECH statute has given 
us much increased penalties for violations of the privacy and 
security rules. So whereas before the maximum penalties were 
capped at $25,000 per year, for identical violation, we are now 
in an environment where those penalties are capped at $1.5 
million per year, for identical violation, giving us a very 
strong enforcement tool with which to police these issues.
    In fact, you've seen the very beginnings of that policing. 
You've seen our case against Massachusetts General Hospital, a 
teaching institution in Boston, where loss of protected health 
information exposed a number of other vulnerabilities and 
deficiencies in the manner in which the hospital maintained its 
protected health information.
    In the case of our enforcement, which is covered in detail 
in our prepared remarks, against CVS and Rite Aid, you had a 
situation where hard-copy records were placed in the dumpster. 
We talk about the vulnerabilities that are out there, and it 
could not be more prosaic than that. Hard-copy records were 
placed in the dumpster, potentially exposed to having people 
see incredibly detailed, incredibly personal health information 
of their neighbors.
    In these cases we've seen fines range from a million to 
millions of dollars, so pretty significant fines. I am the 
first Director of the Office for Civil Rights to come to the 
office with experience, both extensive experience in law 
enforcement and as a health provider lawyer. It is my 
commitment to really ramp up the enforcement of the office in 
the months and years to come and to have us in a place where 
these examples that I've talked about are just the beginnings 
of our enforcement in this area.
    Additionally, under HITECH, we are in the middle right now 
of an audit pilot where we will be auditing for compliance with 
the privacy and security rules as many as 150 entities. This 
will show us where a number of vulnerabilities may exist and 
also provide us necessary information as we shape our permanent 
audit program. Finally, in this area, we have been involved in 
extensive collaboration with State attorneys general in the 
area of privacy enforcement.
    It's a pleasure to be here today and I look forward to 
answering your many questions.
    Senator Franken. Thank you, Mr. Rodriguez. Again, your 
remarks will be in the record for whatever I told Ms. Lynch.
    [Laughter.]
    Mr. Rodriguez. OK.
    [The prepared statement of Mr. Rodriguez appears as a 
submission for the record.]
    Senator Franken. I would note, as you said, that there has 
been a ramp-up in enforcement, but I'm going to probably be 
focusing some of my questions here on some of the--and asking 
for explanations of some lack of enforcement.
    I want to definitely be able to get through this panel. I 
hope that the Ranking Member can stay for some of the testimony 
of the next panel just to hear, because I think that while 
today we're talking about privacy and some of the problems that 
we've had in this, I think that both Ms. McGraw and Ms. Myrold 
will be speaking--especially Ms. Myrold who works at HCMC--to 
some of the benefits that we've had from electronic health 
records. For example, that file that the Ranking Member held up 
that would be in his office on one of his patients who is 
wonderfully taken care of by him, if it was the middle of the 
night in Oklahoma--I'm sorry. What town in Oklahoma are you 
from?
    Senator Coburn. It's on a need-to-know basis.
    [Laughter.]
    Senator Franken. OK.
    Senator Coburn. I'm an Okie from Muskogee.
    Senator Franken. OK. OK. Oh, you're from Muskogee?
    Senator Coburn. Yes.
    Senator Franken. OK. Well, I didn't need to know that.
    [Laughter.]
    Senator Franken. But now I do. OK.
    Well, let's say you are asleep in your home in Muskogee and 
somebody--one of your patients was in Vienna. So there.
    [Laughter.]
    Senator Franken. Now, the point is if that their electronic 
health records were available, it might be helpful. That's my 
only point.
    So let's go with the questions. Mr. Rodriguez, since 2003 
when the privacy and security rules became enforceable, the 
Department of Health and Human Services has received over 
64,000 complaints from consumers for alleged violations of the 
rules; about 22,500 of those were against entities that HHS had 
the authority to investigate.
    Of those 22,500, HHS has secured one civil monetary penalty 
and only six other monetary settlements. I know a large part of 
this is your Department's policy of trying to get businesses to 
voluntarily comply with health regulations rather than fining 
them, and I generally think that's a good thing. I also know 
that again, in the past year, HHS has increased enforcement by 
a lot. But these figures seem quite low. How would you explain 
them?
    Mr. Rodriguez. Sure. I think, Senator, first of all, I 
think you've identified what the--correctly identified what has 
been the Department's policy until HITECH was passed, which was 
to give covered entities under investigation the opportunity to 
implement corrective action, and that would serve as a basis 
for resolution of those cases.
    HITECH has changed the environment significantly in two 
ways. The first is there no longer is a hard requirement that a 
covered entity be given that opportunity. We will still do it 
in many and most cases, but there is not necessarily a hard 
requirement that a covered entity be given that opportunity to 
implement corrective action before we move to penalties.
    The other thing that HITECH has done is that it has 
dramatically increased the penalties, particularly for those 
entities that have engaged in wilful neglect of their 
obligations under the privacy and security rules. So, I think 
that's the reason why that has occurred historically. As I 
said, I think you have witnessed what are essentially the 
beginnings of the change in that environment.
    Senator Franken. I think one of the problems is that there 
are a lot of important regulations that HHS has yet to finalize 
in order to implement the protections of the HITECH Act. For 
example, HHS has yet to issue final enforceable regulations for 
the Business Associate Rule, and we were talking about business 
associates here, which requires contractors and consultants 
that receive health information to protect it, much in the same 
way that hospitals and insurers already have to.
    This is a really big problem because the whole purpose of 
the HITECH Act was to plug the holes left by HIPAA. But those 
holes aren't plugged because the regulations have been delayed. 
When do you anticipate issuing the Business Associate Rule and 
other remaining rules in final form? It's been two and a half 
years since the act was passed. Go ahead.
    Mr. Rodriguez. I certainly agree, Senator Franken, that the 
proposed Business Associate Rule really does plug what is a 
considerable hole in the privacy and security enforcement 
architecture. What I can tell you, Senator, is that we've 
received extensive comments on both the business associate 
proposed rule and a number of other provisions under HITECH, 
that we have worked diligently to analyze those comments and to 
prepare regulatory text based on our analysis, and we are 
working as diligently as we can toward a final rule. I can't 
give you a timeframe at this time.
    Senator Franken. OK. Well, hurry up.
    Ms. Lynch, HHS has referred to DOJ 495 cases for potential 
criminal prosecution since 2003, but the Department has 
informed my office that DOJ has prosecuted just 16 individuals 
for criminal HIPAA violations. My understanding based on your 
testimony is that DOJ prosecutes a large number of medical 
privacy cases under other criminal statutes for things like 
identity theft or wire fraud. Can you tell me how many of the 
495 cases referred by HHS DOJ has prosecuted under a statute 
other than HIPAA? Is that something you know?
    Ms. Lynch. Well, actually--and thank you for the question, 
Senator. I think I would not be able to give you a specific 
numerical answer on that, in large part because of the 
different way in which cases are tracked from an HHS referral 
to the way a case is opened up within the U.S. Attorney's 
Office.
    In particular, once we charge a case, if we were to use 
another statute--for example, identity theft or a computer 
intrusion statute--if that were our lead charge it would be 
recorded in that way. We wouldn't necessarily see the HHS 
connection. So I do think that unfortunately the numbers that 
you have are not reflective of the entire picture of what the 
Department is doing in relating to medical privacy cases in 
general, because those cases actually are ongoing.
    We do still receive referrals again through the process, 
through the pipeline from HHS, through the FBI, after their 
review, sending a subset over to us. I would say that in terms 
of those overall cases we're charging around 10 a year, some 
up, some down. We're obtaining convictions of around 10 a year, 
again, some up, some down depending upon the year, and these 
are often of multiple defendants for cases involving not just 
HIPAA, but these other statutes as well.
    Senator Franken. OK. Thank you. I just want to note that 
that was a very straightforward answer, and thank you for it. 
Based on the first part of the answer it seems because of the 
way you track this, it's impossible for you to really give me a 
definitive answer. Perhaps we could work together to try to 
find a way to change the tracking so that we could do our due 
diligence in terms of oversight in seeing how this is working.
    Ms. Lynch. Absolutely. I think the Department is eager to 
work with staff of this Committee, to work on ways to improve 
that and to provide you the information that you need because 
there are a lot of cases out there.
    Senator Franken. Thank you very much.
    The Ranking Member.
    Senator Coburn. Well, thank you both. Very enlightening 
testimony.
    Let me go through the three main areas for you all: fraud, 
extortion, and patient identity theft. Correct? Patient 
identity theft. That was your testimony. That's the main three 
areas. Which is the largest area?
    Ms. Lynch. At this point, again, without having the 
specific numbers in front of me, but knowing of the extensive 
efforts we're doing particularly in Medicare fraud, I would 
probably say the fraud area is the largest. But again, it's 
going to encompass a lot of different types of activities.
    Senator Coburn. And in cases involving HIPAA medical 
records, in your office in New York, how many cases have you 
all prosecuted?
    Ms. Lynch. I'm aware of one--one or two that we currently 
have going on. We also have a civil matter that's been settled. 
Again, we focus a lot on the Medicare fraud of it--aspects of 
it--and we may not in fact include the HIPAA statute all the 
time because the nature of the case, the facts may lend 
themselves to a different type of charge.
    Senator Coburn. You're going to prosecute where you can get 
the greatest amount of success and relief, correct?
    Ms. Lynch. Correct. Particularly relief. Correct.
    Senator Coburn. We know that the HITECH and HIPAA 
regulations in terms of using those laws to prosecute Medicare 
fraud and identity theft. What do we have in terms of the 
utilization to prosecute the misuse of a Medicare patient's 
Social Security number or a Medicare provider's billing number?
    Ms. Lynch. Well, I think----
    Senator Coburn. Because that's where the fraud is.
    Ms. Lynch. Yes. Absolutely. Well, the health care fraud 
statute has been a very successful tool for us, working in 
conjunction with HHS, in prosecuting large numbers of 
defendants for that. The cases in my testimony that were 
recently brought down, but also under the A teams which are 
located in several offices, mine included, we've done a number 
of those cases where patient data is used, sometimes illegally 
obtained, sometimes, sadly, obtained from patients who are 
involved in the fraud. But at this point in time, the health 
care fraud statute would be one, and then after that, identity 
theft.
    Senator Coburn. Would you think that increasing the 
penalties in terms of utilizing patients' Medicare and Social 
Security number or provider number would be beneficial in your 
all's effective carrying out of the law?
    Ms. Lynch. I think that right now--thank you for that. I 
think that right now we have a very effective framework of 
that. We would certainly welcome the opportunity to work with 
you on adjustments that could be made. If you're thinking in 
terms of the HIPAA penalties, there's a three-tier system, as 
I'm sure you're aware, of penalties.
    Senator Coburn. I'm thinking of raising the penalties for 
intentionally selling Medicare provider numbers or Medicare 
Social Security numbers, patient numbers or provider numbers, 
because that's where we see a lot of this in terms of the 
multitude of layers of fraud in terms of false billing to 
Medicare.
    Ms. Lynch. Right.
    Senator Coburn. Mr. Rodriguez, what do you all do right now 
to educate people that are under your purview to bring them up 
to speed with your new regulations and compliance? Since you're 
a little stronger now in terms of trying to get the 
enforcement, what are you doing to educate?
    Mr. Rodriguez. There are a series of activities in which we 
are engaged, and I very much appreciate the question. To begin 
with, our Web site contains extensive information, both on the 
original HIPAA requirements and then the new HITECH 
requirements, and they're readily accessible to any health 
provider who wishes to educate themselves on those 
requirements.
    In addition, we have an extensive media campaign where we 
talk about the requirements, particularly in publications that 
target the health care industry. We also make our staff 
available extensively to speak to health industry groups in 
order to convey the requirements under the statute. This is an 
area to which I am personally very committed. It is my 
intention to continue and intensify where necessary these 
education efforts.
    Senator Coburn. OK.
    Thank you, Mr. Chairman.
    Senator Franken. Thank you.
    Senator Whitehouse.
    Senator Whitehouse. Thanks, Chairman Franken. I thank the 
witnesses for attending.
    The flip side of the privacy issue with respect to your 
responsibilities is the opportunity that electronic records 
provide for investigative purposes. Senator Coburn and I were 
allies in a long battle to get the Drug Enforcement 
Administration to get off its insistence on paper records.
    And I can't speak for Senator Coburn, but what frustrated 
me was that I knew that there was some old DEA agent someplace 
who could remember making a case and sitting there with the 
paper records and thinking that that was what had to be 
protected, when in fact you can do an enormous amount of good, 
particularly with prescription abuse, which is exploding in 
this country right now, if you could get information as to what 
the peculiarities are with the dispensation of, particularly, 
controlled pharmaceuticals.
    So if a doctor goes from zero bottles of Vicodin a week to 
500, or if the same Medicare or billing number ends up getting 
controlled substances at five different doctors, that gives a 
wonderful opening to law enforcement to be able to focus its 
resources on areas that are going to be productive.
    I'm wondering what your experience has been with the 
utility of electronic prescription records, Medicare billing 
records, and other data sources at targeting law enforcement at 
the real miscreants in this area, and how vulnerable you think 
the process that de-individualizes that data so that people can 
look through it without necessarily knowing who the individuals 
are associated with that data, how effective that de-
individualization is, and what its weaknesses are. I'll ask 
both of you the same question.
    Ms. Lynch. Sure.
    Senator Whitehouse. U.S. Attorney Lynch first.
    Ms. Lynch. Thank you, sir. I'm sorry, I didn't mean to jump 
the gun there.
    Senator Whitehouse. No, go ahead.
    Ms. Lynch. Thank you. I appreciate the opportunity to talk 
about that, because in fact what you have just described is an 
important part of our current health care fraud prosecution 
strategy. Through the A team, as I mentioned, we do a lot of 
work both with the FBI and with HHS Office of Inspector 
General, particularly in New York, at looking at fraudulent 
billing cases.
    As I mentioned to the Ranking Member, some of these involve 
the misuse of patient data and some of them involve simply 
false billing for non-existent services. In recent years, the 
improvement, I should say, in the real-time tracking of 
Medicare billing through upgrades to the HHS system has been 
invaluable to us in letting us see exactly the types of shifts 
that you are referring to.
    In the metropolitan New York City area, for example, we are 
able to look now and see data that is less than one month old 
as opposed to having to wait for, as you mentioned, the paper 
records or even a slower computer record that could be months 
old. By that time, a clinic that is giving out a lot of false 
billings could have folded up and moved on by the time we found 
our way to it. Using the exact kind of data that you mentioned, 
much more real-time analysis enables us to use other 
investigative tools.
    In a case in my district last summer, we used extensively--
we used undercovers. After getting some informant information, 
we used undercovers to go into a clinic that was billing in 
Brooklyn, and because of what we saw in there, we were able to 
marry that with the data showing a spike in billings that we 
felt were fraudulent and we were able to obtain court-
authorized electronic surveillance of that particular clinic 
and arrest not only doctors but also some patients who, sadly, 
were participating in the scheme. They were elderly patients 
being paid to turn over their numbers there. So that's a little 
bit different from the theft of the information. There, people 
are basically providing it.
    Senator Whitehouse. Let me jump in for the last couple of 
seconds to ask Mr. Rodriguez to respond also.
    Mr. Rodriguez. Sure. First of all, as a former health care 
fraud prosecutor, and including one who has worked on many drug 
diversion cases, I full well know the seriousness of the 
problem that you've identified, Senator. We see in many of the 
health care privacy cases very often there is also, as U.S. 
Attorney Lynch has identified, sometimes a component of either 
a health care fraud or drug diversion that actually initiates 
those cases rather than them coming in as privacy complaints. 
In fact, they start on the health care fraud or drug diversion 
side of the house. So it's a very real problem that you've 
identified. We collaborate with prosecutors in cases where 
those sorts of issues have been identified.
    Senator Whitehouse. My time has expired. Thank you, Mr. 
Chairman.
    Senator Franken. Thank you for your questions, Senator.
    Senator Blumenthal.
    Senator Blumenthal. Thank you, Mr. Chairman. Thank you both 
for being here.
    I want to ask you about the gaps in HIPAA health data 
protection. I speak as an author of one of the bills that had 
been reported out of this Committee, S. 1535, the Personal Data 
Protection and Breach Accountability Act. There are three 
bills, and that bill is one of them. Of all the data breach 
bills currently being considered by the Senate, my proposal is 
the only one that explicitly protects health information. All 
three bills allow ``covered entities'' regulated by HIPAA to 
continue to be governed by that regime, but only the bill that 
I have authored, S. 1535, explicitly extends its protections to 
health data held by companies that are not currently covered by 
HIPAA.
    So my question to both of you is, what types of entities 
hold health data that are not covered by HIPAA, and do you 
think it's important to ensure that that health data held by 
third-party companies not covered under the current law also be 
protected, that they be required, in fact, as the bill would 
do, to take steps to protect it against theft or other kinds of 
breaches and the other kinds of protections--for example, 
remedies, insurance, notification, and so forth--that the laws 
would provide?
    Mr. Rodriguez.
    Mr. Rodriguez. Yes. Thank you, Senator Blumenthal, for that 
question. As you know, the HIPAA statute really covers three 
types of what we call covered entities: health care providers, 
health plans, and health care clearinghouses. Health providers 
are defined as those health providers that transmit certain 
standard health information transactions electronically. 
Excluded from that definition can be providers who don't 
transmit health information transactions electronically, 
typically, for example, in a private-pay sort of enforcement. 
So there clearly are health care providers out there who are 
not currently subject to the HIPAA statute.
    Having said that, it is our sense that the HIPAA statute 
does cover the vast majority of health care business that 
occurs in the United States.
    Senator Blumenthal. What about the other two categories 
besides the providers?
    Mr. Rodriguez. Again, if you fall outside of those three 
definitions, which include health plans, exactly what the name 
suggests, or health insurance plans, and health clearinghouses, 
which are entities that take non-standard health information 
and convert it to standard information, typically for billing 
but also potentially for other purposes. There are clearly 
other sorts of entities outside of those definitions that have 
health information and are not currently covered by the HIPAA 
statute.
    Senator Blumenthal. Would you recommend to the Senate and 
the Congress that it extend those protections to entities not 
covered currently by the HIPAA statute?
    Mr. Rodriguez. We certainly would be very willing to work 
with the Senator and his staff, providing technical assistance 
on that bill. I'm not permitted to specifically endorse a 
particular----
    Senator Blumenthal. Well, is there a reason that you would 
recommend against it? In other words, why shouldn't those same 
protections be extended to those other entities that have 
possession of this same kind of sensitive and confidential 
information?
    Mr. Rodriguez. No. And I would suggest the way--we would be 
most pleased to work with the Senator and his staff on that 
bill, on providing technical assistance in your work on that 
bill.
    Senator Blumenthal. Thank you.
    Did you have a comment, U.S. Attorney Lynch?
    Ms. Lynch. No. Just to echo what Mr. Rodriguez said, I 
think the Department would also look forward to working with 
the Senator on looking at those issues as well.
    Senator Blumenthal. Thank you.
    In the short remaining time I have left, I would like to 
ask whether you are satisfied that there have been sufficient 
criminal prosecutions under the HIPAA statute. I know that some 
may have been--some cases may have been recommended for 
prosecution, but not actually done.
    Mr. Rodriguez. Actually, the health privacy environment 
reminds me very much of the health care fraud environment in 
which I worked for a significant portion of my professional 
life. The trend that we saw in the health care fraud 
environment is a large number of criminal cases and a large 
number of civil cases where, for example, the False Claims Act 
and other authorities provided really significant monetary 
penalties to police health care fraud, and very often in many 
cases those monetary penalties were really the right approach, 
the right hammer, if you will, to policing health care fraud 
issues. I think the health privacy environment is very similar.
    While there is a certain layer of cases that do merit 
criminal sanctions, in my view, where the real frontier is, is 
in our leveraging these new, stiff penalties that we have under 
the HITECH statute and expanding our utilization of those 
penalties.
    Senator Blumenthal. You're talking about civil penalties?
    Mr. Rodriguez. Yes, sir.
    Senator Blumenthal. And why not criminal penalties?
    Mr. Rodriguez. Because our experience is that many of the 
cases that we see, in terms of the complaints that we receive, 
point to not cases of intentional disclosure of protected 
information for the sorts of criminal reasons that U.S. 
Attorney Lynch identified, but rather wilful neglect to follow 
the obligation by a covered entity to follow the obligations 
that the law imposes.
    Senator Blumenthal. My time has expired but I want to thank 
you both again for your being here and for your very helpful 
testimony. Thank you.
    Senator Franken. All right. Yes. Thank you, Senator.
    The Ranking Member has to leave, but we will extend to him 
the opportunity to ask questions for the record. I also want to 
thank U.S. Attorney Lynch and Mr. Rodriguez for your testimony, 
and you are now excused. You can go.
    We will proceed to the second panel of this hearing. I 
would like to introduce our second panel. We have Kari Myrold, 
who is the privacy officer of Hennepin County Medical Center in 
Minneapolis, again, about five or six blocks from my home 
there. It's a great, great hospital.
    As privacy officer, Ms. Myrold oversees the implementation 
and use of electronic health records and ensures HCMC's 
compliance with State and Federal privacy laws and ensures that 
patient records are private and secure. Ms. Myrold received her 
law degree from Hamline University in St. Paul and her 
undergraduate degree from St. Cloud State University in St. 
Cloud, Minnesota. Welcome.
    Deven McGraw is the director of the Health Privacy Project 
at the Center for Democracy and Technology. Ms. McGraw was 
recently appointed by Secretary Sebelius to serve on the Health 
Information Technology Policy Committee. Prior to this, she was 
the chief operating officer of the National Partnership for 
Women and Families. Ms. McGraw received her undergraduate 
degree at the University of Maryland, her Master of Public 
Health from Johns Hopkins, and her law degree in LLM at 
Georgetown University Law Center.
    Thank you, Ms. McGraw, thank you, Ms. Myrold, for joining 
us. Your complete written testimony will be made a part of the 
record, and you each have five minutes or so for any opening 
remarks you would like to make.
    Ms. Myrold, please go ahead.

  STATEMENT OF KARI MYROLD, PRIVACY OFFICER, HENNEPIN COUNTY 
                MEDICAL CENTER, MINNEAPOLIS, MN

    Ms. Myrold. Mr. Chairman and Senators Whitehouse and 
Blumenthal, thank you for the opportunity to appear on behalf 
of Hennepin County Medical Center as a provider in this hearing 
with regard to the electronic health record and privacy rules.
    Although Hennepin County is a very fascinating facility, I 
could tell you lots of things about it, I am here really to 
speak to one of those things in particular. However, to put it 
in perspective, I would like to let you know that Hennepin 
County Medical Center is a 477-bed hospital with six primary 
clinics and a number of specialty clinics. It also is a 
teaching facility and is noted as Minnesota's premier Level One 
trauma center, both for adults and pediatrics.
    In 2002, Hennepin County Medical Center embarked upon a 
journey to implement an integrated electronic health record. We 
had siloed applications. Say you had an application coming out 
of the neonatal unit, one out of radiology, and maybe one out 
of the emergency department. Hennepin County Medical Center 
decided to integrate both the patients' records throughout the 
facility as well as include the revenue cycle management 
system.
    Hennepin County Medical Center's goals in doing this were 
to enhance the patient experience, improve the quality of care 
and patient safety throughout the facility, support research 
and education, and sustain the organization. Although 
improvement is ongoing in the electronic health record, there 
are always updates to be made.
    Hennepin County has actually achieved these goals, 
including adding certain modules such as Care Everywhere, which 
is our software provider's application for the health 
information exchange within our metro area, and that actually 
is done with patient consent that we provide that opportunity 
for patients and other providers to be able to treat patients 
throughout different facilities.
    We also have added a mychart module, which is really the e-
patient chart access where a patient can logon, schedule their 
own appointments, check their lab results, and view their own 
record. Then, most recently, we added a Carelink module, which 
is for our community users, so instead of faxing or delivering 
an inch of paper to, say, a long-term care facility, what we 
can do now is we train and provide access for one or two 
individuals from that facility, that's one example, for a 
discharge from one of our units. So that long-term care 
facility access person can then determine whether or not that 
would be an appropriate placement upon discharge for that 
person.
    Then through performance and improvement of our electronic 
health record, I would just like to note that Hennepin County 
Medical Center has actually achieved Stage Six on a 0 to 7 
scale through the Health Information Management System Society 
adoption model, and really that is--we're working toward Stage 
Seven in 2012, and that's the top. Only one percent of 
hospitals nationwide actually achieve Stage Seven.
    Also, in fulfilling one of our goals that I mentioned 
earlier, in being able to capture and measure data, Hennepin 
County Medical Center was an early attester to meaningful use. 
We have actually received our first payment and that was 
actually over $1 million. That was in August of 2011. Only 10 
percent of hospitals at that point in time had achieved that 
status.
    Hennepin County Medical Center is a public subsidiary 
hospital; therefore we were subject, long before HIPAA, to the 
Minnesota Government Data Practices Act. Minnesota was, 
therefore, a little bit advanced with regard to privacy rules. 
We also are subject to accreditation standards through the 
Joint Commission; they have an information chapter, and through 
that we have to make sure that we provide privacy and security 
for our patient data. And then along came HIPAA, and then, of 
course, HITECH.
    Chairman Franken has already indicated the critical example 
we had of testing our first test case with the electronic 
health record in the tragic collapse of the 35W bridge. Along 
with using the patient health record, we also tested that for 
auditing of staff access with regard to privacy violations.
    There are a number of areas where I can see improvement 
necessary throughout the rules, and some of those might be that 
model policies and procedures could have been included with 
regard to the rules. There are a number of organizations who 
apply policies inconsistently, and when you do have a question 
or investigation with the OCR, one of the first things they're 
going to be asking you for is your policies.
    They have been very cooperative in assisting you in 
modifying any that you might need, but there's a lot of time 
and attention given to these in advance and I think models 
would have helped in that regard. Business associates, data 
breach notification, expanding the definition of a covered 
entity, encryption, and then accounting of disclosures are 
other areas where I certainly can see that we could make 
improvements.
    Thank you.
    Senator Franken. Thank you very much, Ms. Myrold.
    [The prepared statement of Ms. Myrold appears as a 
submission for the record.]
    Senator Franken. Ms. McGraw.

 STATEMENT OF DEVEN McGRAW, DIRECTOR, HEALTH PRIVACY PROJECT, 
      CENTER FOR DEMOCRACY AND TECHNOLOGY, WASHINGTON, DC

    Ms. McGraw. Thank you very much for the opportunity to 
testify. I want to start by saying that people like Ms. Myrold 
and her colleagues at the Hennepin County Medical Center and 
others across the country who are adopting electronic medical 
records and proving that they can actually be a big difference 
in how health care is delivered in our country, both in terms 
of cost and quality, they're really the reason why I do this 
work.
    The public, when you survey them, is very supportive of the 
commitment we're making to health information technology. We 
are already starting to hear about some promising results, and 
I think we're going to hear more in the very near future.
    At the same time, we know that the public consistently 
expresses a concern about the privacy and confidentiality of 
their digital health records, and for good reason. The amount 
of breaches that we see are one reason why people are 
concerned, but for about a quarter of the population, based on 
survey data, these privacy concerns are going to cause us to 
withhold information from our health care providers because 
we're not confident that that information will be kept 
confidential, or we might not be truthful about our 
circumstances, or we might decide not to seek care at all. 
That's a problem. Even though it's only for about a quarter of 
the population we don't want to leave them out of the 
revolution that we're trying to seed.
    Then for the rest of us who may not exercise concerns to 
that degree, it's still going to jeopardize our trust in the 
electronic health record system that we're trying to create and 
our willingness to support it, quite frankly, with taxpayer 
dollars.
    So clearly Congress recognized that this was an important 
issue to address and in the stimulus legislation there are a 
number of really important changes to the HIPAA privacy and 
security rules, and we supported each and every one of them. 
But making actual progress in terms of implementation, as has 
been pointed out, has been agonizingly slow and we wish that 
were not the case.
    So I just want to use the few minutes I have to try to cram 
in some of what's in my written remarks, but I'm glad to hear 
the rest of it will get in.
    As has already been emphasized, we need the regs. We really 
need the regs. Give me the regs. You know, Congress--you wanted 
these provisions to go into effect a year post-enactment, and 
here we are almost three years later and we don't have most of 
them.
    We know that the administration can act promptly when it's 
a high priority. We saw the regulations for the Medicare shared 
savings program finalized within five months of being proposed. 
I guess I just don't understand why this takes so long. I 
recognize that it's not just in the hands of the Department of 
Health and Human Services, so I guess I'll use my bully pulpit 
to call on the administration to get the review done and get 
them out.
    The improvements in HITECH on enforcement were badly 
needed, but we don't yet have a consistent, reliable 
enforcement environment. I'm very glad to hear the testimony of 
both of the individuals on panel one with respect to a strong 
commitment to enforcement. We think it's incredibly important.
    But we also are very much on board with more transparency 
with respect to how HIPAA is enforced, both on the DOJ and the 
HHS side. Summary statistics don't really tell you very much 
about what's really going on in the field in terms of 
compliance with HIPAA, and particularly where the Department is 
likely to continue to try to seek voluntary corrective action 
on the part of institutions.
    And I agree, this is not a bad idea per se, but I 
personally would like to know more about the circumstances 
under which voluntary correction is sought. Are there any 
patterns to it? Is there a need for us to provide more guidance 
to the field or to enforce in more areas?
    HIPAA does not protect all health data. Senator Blumenthal, 
you pointed this out in your questions. It only covers certain 
types of health information held by certain entities in the 
health care system. It covers some things, but not other 
things.
    Health data is rapidly migrating out of the traditional 
health care system, mostly because it's increasingly being 
shared by consumers online. Eighty percent of people who are 
online do searches for health information and there are 
presumptions made about them based on those searches that often 
result in them being targeted for ads. But that was the subject 
of another hearing.
    But personal health records offered by internet companies, 
social networking sites like Facebook and those that are 
dedicated to specific diseases, none of that data is going to 
be covered by HIPAA. Congress took care of breach notification 
for personal health records, but beyond that there are no other 
protections in law beyond what these companies might commit to 
doing in their privacy policies, if they make any such 
commitment at all.
    If they breach a commitment, then the Federal Trade 
Commission can hold them responsible. If they don't make a 
commitment or they make a vague commitment, we don't really 
have the sort of comprehensive set of rules that we do have on 
HIPAA-covered entities and we need it.
    I guess I'll squeeze in, last, regulations on business 
associates, downstream contractors. They are important source 
of health care data. As was pointed out by Mr. Rodriguez, the 
subcontractors have been a big part of the breach problem. He 
says we need the HIPAA regs to provide the enforcement on 
business associates right away. But it also needs to be very 
clear that a contractor gets data for a specific purpose and 
should be limited in how they use that data to accomplishing 
that purpose, and we're not quite there yet.
    So I'll stop and be happy to answer your questions. Thank 
you again for the opportunity.
    Senator Franken. Thank you, Ms. McGraw.
    [The prepared statement of Ms. McGraw appears as a 
submission for the record.]
    Senator Franken. Thank you, Ms. Myrold, for your testimony. 
I'm sure that a lot of what you have in your written testimony 
that you didn't get to, you'll be able to get to via these 
questions.
    Ms. Myrold, the Hennepin County Medical Center has made 
significant investments in electronic health records. You made 
that clear. At the same time, it's made a big investment in 
policies and technologies that will protect patient privacy. 
Why is--and I think Ms. McGraw spoke to this--patient privacy 
so important in health care? How does it affect treatment?
    Ms. Myrold. Well, I think, number one, patients need to be 
comfortable and confident, have confidence in their providers, 
so that when they're in there seeking treatment they want to 
make sure that they're able to disclose everything that they 
need to disclose in order to get the right treatment. Having 
that confidence means that their information is going to be 
protected.
    Reputations are harmed. Over and above all, a provider is 
also a business. So if you want to maintain your patient base 
and attract more patients, you want to make sure that you're 
not one that's in the headlines breaching patient information. 
So it's sensitive data and the right thing to do is make sure 
that you protect that data. There are also mandates, of course, 
that we have to comply with.
    Then at HCMC, one of the things that we have found is that 
if you're encouraging your own employees to seek care 
throughout your clinics and your hospital, the first thing you 
want to make sure is that those employees know that their 
information is going to be protected from other employees.
    Senator Franken. Thank you.
    Ms. McGraw, as you mention in your testimony, HIPAA and the 
HITECH Act are not comprehensive. Health information privacy 
laws don't protect all health information, they just protect 
certain health information when it is in the hands of certain 
kinds of companies or providers. Can you give us examples of 
companies that have a lot of health information which are not 
covered under HIPAA or the HITECH Act, and what kinds of 
information they may have?
    Ms. McGraw. Sure. So just some examples of some entities, 
and they're largely in the Internet space, the examples that we 
know of that are getting increasing amounts of health data that 
would not be covered under HIPAA, either as a covered entity as 
a business associate, would be a personal health record vendor 
like Microsoft's Health Vault. Google had a personal health 
record product but they have since closed that line of 
business. But there's a consortium of employers called Dossia 
that also offers a personal health record to their employees, 
and Dossia is not at all covered.
    PHRs collect data from consumers that they get that they 
either input themselves or that they get from their medical 
providers, because they have a right to get a copy of their 
health data, and so the uptake on these is low to date, but 
it's increasing. It's more than doubled over the past couple of 
years, and we expect it to increase.
    Again, people do searches online for health data. People 
are increasingly using social networking sites in order to 
interact with people who have similar conditions that they do 
and to share concerns about diseases and symptoms, and none of 
those entities would be covered under HIPAA, yet they are 
getting increasing amounts of health data, very sensitive 
health data in some circumstances.
    Senator Franken. If these entities aren't covered by HIPAA 
or the HITECH Act, I'd like for you to tell us what kind of 
protection information held by these entities have under 
Federal law. Could these companies sell this information to 
third parties?
    Ms. McGraw. Sure. So one thing that HITECH did do for at 
least the personal health record vendors was to say if you as a 
PHR vendor breach data, then you have to notify the individual 
and the Federal Trade Commission of the breach. But that was 
the extent of the protections that are applied to this 
particular part of the ecosystem. So, just the PHR vendors and 
just breach notification.
    So as a result, what you have is the Federal Trade 
Commission's traditional authority to crack down on unfair and 
deceptive trade practices. So in your privacy policy as a 
company, if you say I will not sell your data and then you sell 
it, then the FTC has the authority to come after you for 
violating the terms of your privacy policy. But if you make no 
commitments with respect to the sale of data or you say 
outright, I'm going to sell your data, there certainly isn't a 
law that prohibits you from doing that.
    Senator Franken. Thank you. That makes sense.
    Ms. Myrold, the last part. In the past, Ms. McGraw and 
others have called for health care providers, insurers, and 
other entities covered by HIPAA and the HITECH Act to place 
tighter restrictions on the health information they share with 
their business associates. My understanding is that Hennepin 
County Medical Center has actually been a model in this regard 
and that you place very high restrictions on what your business 
associates can or cannot do with the health information they 
receive. Can you describe that policy?
    Ms. Myrold. Certainly. HCMC does have a very tight process. 
We actually require all of our vendors to define for us which 
PHI--Protection Health Information--that they are in need of, 
how they are going to be using that Protected Health 
Information. Basically relying on what HIPAA has as the minimum 
necessary rule, we're only going to allow them access to what 
it is they need in order to perform the services for us that 
they're going to be performing.
    If a privacy--or if a vendor is actually going to be 
accessing, like I mentioned the long-term care facility 
earlier, we actually provide them privacy training as well. 
It's required prior to their actually accessing our electronic 
health record. Then of course we also ask for them to comply 
with any security requirements. We used to ask for them to pay 
for a third-party vendor to get a current security assessment.
    Now that was actually quite difficult for some of the 
vendors, and so what we're asking for now is that even if 
they've performed some kind of an internal security assessment, 
we want something that's been done within that past year. So if 
we're accessing through VPN tunnels, or however we're going to 
be sharing data through portals, however, we're going to be 
sending them information, we want to make sure that that's 
secure and they have that set up within their own technology.
    Senator Franken. Ms. McGraw, would you like to explain how 
business associate agreements could be crafted more narrowly 
and whether you think this is a change that should be pursued 
through statute or regulation?
    Ms. McGraw. Sure. So the way that business associate 
agreement could be crafted more narrowly would be to emphasize 
that the agreements have to specify the permitted uses of the 
data and not--to me the regs err on the opposite side of that 
question, which is to say the agreement must say what cannot be 
done with the data, which means if it's not prohibited and as 
long as it's within the confines of what's permissible under 
HIPAA, then it can be done.
    That's why we've heard some anecdotal reports of business 
associates who essentially have provisions in their contracts 
that say we can use this data to meet our business purposes. So 
since the agreement doesn't prohibit them from using data in 
certain ways, they could do so based on the contract that they 
have.
    I think we would much prefer to have a provision that 
requires some defining of the permissible uses versus, stating 
that you can do it unless it's prohibited. This is absolutely 
accomplishable by regulation, but I think it's always helpful 
when Congress sends a signal to the regulators about what it 
would like to see. It can be accomplished from a legal 
standpoint through a reg, but we certainly would not--we would 
be willing to work with you on legislation that would provide a 
more clear signal to the Department about what Congress wants 
to see.
    Senator Franken. Thank you.
    Senator Whitehouse.
    Senator Whitehouse. Thank you, Chairman.
    Ms. Myrold, we suffer from the price of new technologies 
pretty often. The casualties in automobiles are a significant 
issue, but the value to the U.S. of the automobile is pretty 
widely respected by everybody. With respect to health 
information technology, a lot of Americans are seeing the 
privacy cost of things going wrong and of private health 
information escaping, but often don't have the same access to 
the value of health information technology that one does from 
the experience of driving a car.
    I've been involved with provider groups in Rhode Island, 
like the Aquidneck Medical Associates and with community health 
centers like Thundermist, and nursing homes, and a whole 
variety of health care providers who have had a common 
experience, which is that it is a real pain in the neck to get 
onto electronic health records, but once they are, they can't 
possibly imagine going back to the bad old days of paper files.
    I'm just wondering for the record of this hearing what your 
experience has been, on balance, with the Hennepin County 
Medical Center's transition to electronic health records and 
more advanced health information technology. On a net basis, 
how good a thing has it been? Would you consider going back?
    Ms. Myrold. I don't think they'd ever consider going back. 
I think that's basically because patient safety is number one. 
If you have access to all the medications that a patient is on 
in one chart, or if you have a number of providers that can be 
accessing that chart, say consulting from one department to 
another and they're looking at the same chart, that's going to 
provide you much better patient care.
    It was a very high cost to implement this, and like I said, 
it's a public hospital, and so it's not as if there was a lot 
of extra dollars there. But they chose knowing, and after going 
through quite a significant selection process and design 
process, that this was going to definitely aid in their 
critical care of their patients.
    Senator Whitehouse. Thank you.
    Ms. McGraw, you came here to lobby us, but I'm going to 
lobby you back.
    Ms. McGraw. Oh. Oh, good.
    Senator Whitehouse. The Center for Democracy and Technology 
is an important voice in these issues, and I feel very strongly 
that we stand to gain immense advantage from a much more robust 
health information infrastructure. In the earlier panel, we 
talked a little bit about the law enforcement investigative 
advantage, which would not exist if it were not for that. Ms. 
Myrold just talked about a patient safety advantage. I think 
that the day will come fairly soon when a robust-enough health 
information infrastructure will support personalized medicine 
apps.
    So in the same way you've got an iPhone now and you can 
download an app to it, there will be competition with apps that 
will help individual patients through their course of 
treatment, particularly where they have chronic conditions, and 
will help doctors make sure that things aren't forgotten, a 
little bit the way a pilot does a checklist before take-off.
    Too much of what goes wrong in health care goes wrong 
because those simple, preventable things don't get done. I 
think that the time will come very soon when there is enough 
information out there that we will learn an enormous amount, or 
perhaps even create new industries, out of looking at all that 
health information and being able to figure out what's a 
strange anomaly, why is that happening, why is this good thing 
associated with these conditions or this bad thing associated 
with those conditions, and we'll learn from that.
    If we're going to do that we have to have good access to 
that health information data. It has to be de-individualized. 
Nobody needs to know that it's Deven McGraw's data, they simply 
need to know that a person with these characteristics has this 
circumstances.
    Ms. McGraw. Yes.
    Senator Whitehouse. So I hope that the Center for Democracy 
and Technology will be an energetic advocate for the 
propagation of a robust health information infrastructure, 
knowing that there are these critical fault lines where 
patients have to be protected not only in their individual 
data, but also when it's being looked at in the aggregate. Are 
you comfortable that the way that--we're adequately poised to 
be able to review that aggregated data in a de-individualized 
way so that privacy is not impinged by that process?
    Ms. McGraw. Right. Well, we--thank you very much for that 
question, Senator. We at CDT have enjoyed a very good working 
relationship with you and your staff over many years. The 
reason why we do this work is because we believe so completely 
in the power of technology to be transformative in this regard, 
and the idea of privacy is to enable that transformation, to 
make sure that consumers trust it enough to be comfortable with 
their data being part of it, whether it's an identifiable form, 
which it needs to be in some circumstances, but much more often 
it doesn't need to be identifiable.
    It can be de-individualized, which I actually like that 
term very much because it's different from de-identification, 
which is a HIPAA term of art. We have done work in the past, 
and we're continuing to do work, on issues of how you can make 
sure that data is not uniquely identified to an individual but 
can still--but you can still robustly use it to do comparative 
effectiveness research, to examine trends, even for business 
analytics.
    I mean, data drives good decision making, and it should be 
doing that in health care, too. So we're convinced. Whatever 
more we need to do, we'd be happy to work with you on that. But 
that is our central philosophy, that the technology is good. 
The use of the Internet by people to improve their health is 
good. We need to makes sure it's a trustworthy environment so 
that everybody is comfortable in that space.
    Senator Whitehouse. Good. Well, I appreciate that. I'm at 
the age where I can remember before word processing, I can 
remember when the Selectric typewriter was a big deal. 
Certainly I can remember pre-Google. My kids, you know, look at 
my description of the pre-Google environment and just say, 
``Dad, you're so weird.'' They kind of don't get that there was 
ever a point when we could have been so primitive that you 
couldn't just Google something and, poof, there it was in front 
of you.
    I think that the same thing is going to happen in health 
care, that we're in the pre-Google moment with respect to 
personalized health care, supported by individual applications 
that are supported by a robust health information 
infrastructure. The time will come, I think before my kids have 
kids, so that they don't have to, on this particular subject, 
be told by their kids, Mom, Dad, you're so weird. But thank you 
for helping that day come sooner.
    Senator Franken. I was the first writer on ``Saturday Night 
Live'' to get a word processor. Thank you, Senator Whitehouse.
    [Laughter.]
    Senator Franken. Senator Blumenthal.
    Senator Blumenthal. Senator Whitehouse and Senator Franken 
are so much older than I; I have no idea about those days.
    [Laughter.]
    Senator Blumenthal. Not.
    [Laughter.]
    Senator Blumenthal. But my kids still think I'm weird.
    Senator Whitehouse. He did a lot of arguing in front of the 
U.S. Supreme Court. When he started, the quill that they give 
you was for real.
    [Laughter.]
    Senator Blumenthal. It's close to the truth.
    I am struck, Ms. McGraw, by one of the observations in your 
testimony. And let me just say, both of your written 
testimonies are absolutely superb. I know that you haven't 
covered all of it in your conversation with us, but I am very 
grateful for it and will follow up on a number of the points.
    But one of the points that struck me is your observation 
that ``the health care industry appears to be rarely encrypting 
data.'' You then observed, ``To the best of our knowledge, no 
one has done a comprehensive study of the reasons why the 
health care industry has not embraced the use of encryption.'' 
What possible justification can there be? Doesn't that fact 
itself cry out for the kind of data breach protection with 
strong remedies and enforcement and penalties if they fail to 
encrypt data?
    Ms. McGraw. So we clearly think it does. We thought that 
providing an exception in the breach notification provision 
that was enacted on both HIPAA-covered entities and for the 
personal health record vendors, provided an exception for 
entities that adopt encryption, would be a very strong 
incentive for them to adopt encryption.
    What we see from the breaches that have been reported for 
HIPAA-covered entities since 2009 is that, as was mentioned 
earlier, a good two-thirds of them are due to theft or loss of 
media that is an attractive target for theft or is easily lost, 
like the thumb drive that Senator Franken held up in his 
opening statement, or laptops. Geez, how many stolen laptops 
have we had? You had the number in your opening remarks. There 
are a number of them. Or hard drives that either can be easily 
walked out the door if nobody's looking or are inadvertently 
left in computers that are being sold or given away.
    So that's why I say it looks like encryption is rarely 
happening. The best reasons that I've been given, just through 
anecdotal remark, are it slows down access to data sometimes 
and it's expensive, and it can be expensive if you're talking 
about encrypting an entire server because that's a lot of data.
    But it's not that expensive to encrypt a thumb drive, and 
it's not that expensive at all to require people to sign onto a 
secure server to get access to the data so they don't have to 
have it on portable media to begin with. So we have really 
tried very hard to provide incentives to encrypt and not to 
have a hard-core requirement to encrypt on the health care 
industry in order to make concessions in areas where it might 
be too expensive for some health care providers or it might 
slow down access to data where instantaneous access is pretty 
critical.
    Yet, even on portable media where you don't have the timing 
issues and you don't have the cost issues, it's not happening. 
We would like to see more done in this regard, whether it's in 
the form of some more specific requirements or whether more 
guidance about when the Office of Civil Rights expects entities 
to encrypt. I think that would also be helpful.
    Senator Blumenthal. And I gather from both your written 
testimony and from your responses to my questions and Senator 
Franken's that you would certainly not object, you might even 
recommend, to many of the entities not now covered under HIPAA 
also be included in these protections, both as to encryption 
and any other requirements for systematic safeguarding of this 
information.
    Ms. McGraw. Absolutely. We wholly supported the provision 
in your bill on breach notification that it include health 
data. We thought that was an important advance. We have 
similarly supported consumer privacy bills that are pending, 
largely in the House, quite frankly, to do--provide, you know, 
a more comprehensive set of privacy protections for consumer 
data that of course would include health data, but also include 
financial data and other personal information that people 
routinely share. So we are absolutely supportive of that. This 
environment, the wild, wild west for data is not an environment 
of trust.
    Senator Blumenthal. And not one conducive to the spread and 
reliance on IT.
    Ms. McGraw. That's correct.
    Senator Blumenthal. Let me turn to another area that I 
think is important and certainly is worth a lot more than the 
two minutes I have remaining, but again I will follow up with 
you. You know, as a former enforcer, I was the attorney general 
of the State of Connecticut--in fact, I think the first 
attorney general to enforce the HIPAA protections under HITECH 
and a former U.S. Attorney--I happen to believe that these laws 
are useful only to the extent they are rigorously enforced and 
that they have effective penalties.
    So in terms of enforcement, maybe I could ask for both of 
you to make some observations about whether or not laws so far 
have been effectively enforced as widely and rigorously as they 
should be, and whether you think additional penalties should be 
included.
    Ms. Myrold. Well, Senator Blumenthal, I think that 
listening to the previous two speakers I began to wonder, 
what's wrong with the current enforcement provisions and why 
aren't we enforcing anything under the privacy rules? Are the 
facts not fitting within the context of the statute, or what's 
actually--is it not a big enough case? What's really going on 
there? Why aren't people encrypting? Why aren't business 
associates complying?
    I think a big reason is the final rules aren't here. We 
don't have final rules in, what, three areas? I think people 
just--they've lost credibility. People aren't taking it 
seriously. Until we actually get those final rules and people, 
knowing that they're going to actually be enforced, you're 
probably not going to see a lot more compliance. It's a big 
issue.
    Senator Blumenthal. Ms. McGraw.
    Ms. McGraw. I would completely--what she said.
    Senator Blumenthal. So quote you.
    Ms. McGraw. Ditto.
    Senator Blumenthal. We need the rules.
    Ms. McGraw. Yes, we need the rules. We need the rules.
    Senator Blumenthal. That was part of your opening 
statement.
    Ms. McGraw. Yes. And I would echo something else that she 
said when she talked about model policies. Like, more guidance 
is always helpful to the field. I think we're always going to 
have the law a little bit behind where the technology is going, 
but we can refresh by, you know, periodically putting out to 
the field what we expect of them rather than waiting for them 
to do something that looks more like a violation.
    Senator Blumenthal. Thank you.
    Senator Franken. Thank you, Senator.
    And I want to thank you both for your testimony and for 
your work. I'm very proud of representing you, Ms. Myrold. And 
thank you for your work, Ms. McGraw.
    In closing, I want to thank the Ranking Member, Senator 
Coburn, and I want to again thank all the witnesses that 
appeared with us today.
    I think there are few kinds of information more sensitive 
than health information, and technology has given us this 
wonderful opportunity to harness that information in a way that 
will make health care easier and more effective. I just want to 
make sure that we're getting all of those benefits. I think 
that what Ms. McGraw is saying and what you are acting on at 
HCMC is that when patients can be assured that there's privacy, 
that's when this electronic health information can be put to 
its fullest benefit. I think the benefits are clearly manifest.
    Like I said at the start of this hearing, I do believe we 
can do more to protect our information, both in terms of the 
laws we have on the books, and we need regs. I think you said 
``we need the regs, we need the regs, we need the regs.'' We're 
the Senate. You could have just said it once. We would have 
heard you.
    [Laughter.]
    Senator Franken. But anyway, there is work to be done here. 
We will hold the record open for one week for submission of 
questions for the witnesses and for other materials.
    This hearing is adjourned.
    [Whereupon, at 4:03 p.m. the hearing was adjourned.]
    [Questions and answers and submissions for the record 
follow.]
                            A P P E N D I X

              Additional Material Submitted for the Record

[GRAPHIC] [TIFF OMITTED] T7166.001

                    Prepared Statements of Witnesses

[GRAPHIC] [TIFF OMITTED] T7166.002

[GRAPHIC] [TIFF OMITTED] T7166.003

[GRAPHIC] [TIFF OMITTED] T7166.004

[GRAPHIC] [TIFF OMITTED] T7166.005

[GRAPHIC] [TIFF OMITTED] T7166.006

[GRAPHIC] [TIFF OMITTED] T7166.007

[GRAPHIC] [TIFF OMITTED] T7166.008

[GRAPHIC] [TIFF OMITTED] T7166.009

[GRAPHIC] [TIFF OMITTED] T7166.010

[GRAPHIC] [TIFF OMITTED] T7166.011

[GRAPHIC] [TIFF OMITTED] T7166.012

[GRAPHIC] [TIFF OMITTED] T7166.013

[GRAPHIC] [TIFF OMITTED] T7166.014

[GRAPHIC] [TIFF OMITTED] T7166.015

[GRAPHIC] [TIFF OMITTED] T7166.016

[GRAPHIC] [TIFF OMITTED] T7166.017

[GRAPHIC] [TIFF OMITTED] T7166.018

[GRAPHIC] [TIFF OMITTED] T7166.019

[GRAPHIC] [TIFF OMITTED] T7166.020

[GRAPHIC] [TIFF OMITTED] T7166.021

[GRAPHIC] [TIFF OMITTED] T7166.022

[GRAPHIC] [TIFF OMITTED] T7166.023

[GRAPHIC] [TIFF OMITTED] T7166.024

[GRAPHIC] [TIFF OMITTED] T7166.025

[GRAPHIC] [TIFF OMITTED] T7166.026

[GRAPHIC] [TIFF OMITTED] T7166.027

[GRAPHIC] [TIFF OMITTED] T7166.028

[GRAPHIC] [TIFF OMITTED] T7166.029

[GRAPHIC] [TIFF OMITTED] T7166.030

[GRAPHIC] [TIFF OMITTED] T7166.031

[GRAPHIC] [TIFF OMITTED] T7166.032

[GRAPHIC] [TIFF OMITTED] T7166.033

[GRAPHIC] [TIFF OMITTED] T7166.034

[GRAPHIC] [TIFF OMITTED] T7166.035

[GRAPHIC] [TIFF OMITTED] T7166.036

[GRAPHIC] [TIFF OMITTED] T7166.037

[GRAPHIC] [TIFF OMITTED] T7166.038

[GRAPHIC] [TIFF OMITTED] T7166.039

[GRAPHIC] [TIFF OMITTED] T7166.040

[GRAPHIC] [TIFF OMITTED] T7166.041

[GRAPHIC] [TIFF OMITTED] T7166.042

[GRAPHIC] [TIFF OMITTED] T7166.043

[GRAPHIC] [TIFF OMITTED] T7166.044

 Questions for Deven McGraw, Leon Rodriguez, and Kari Myrold Submitted 
                         by Senator Al Franken

[GRAPHIC] [TIFF OMITTED] T7166.045

[GRAPHIC] [TIFF OMITTED] T7166.046

[GRAPHIC] [TIFF OMITTED] T7166.047

 Responses of Deven McGraw to Questions Submitted by Senator Al Franken

[GRAPHIC] [TIFF OMITTED] T7166.048

[GRAPHIC] [TIFF OMITTED] T7166.049

   Responses of Leon Rodriguez to Questions Submitted by Senator Al 
                                Franken

[GRAPHIC] [TIFF OMITTED] T7166.050

[GRAPHIC] [TIFF OMITTED] T7166.051

[GRAPHIC] [TIFF OMITTED] T7166.052

[GRAPHIC] [TIFF OMITTED] T7166.053

 Responses of Kari Myrold to Questions Submitted by Senator Al Franken

[GRAPHIC] [TIFF OMITTED] T7166.054

                Miscellaneous Submissions for the Record

[GRAPHIC] [TIFF OMITTED] T7166.055

[GRAPHIC] [TIFF OMITTED] T7166.056

[GRAPHIC] [TIFF OMITTED] T7166.057


                                   


